The 360 Vulcan team discovered a series of critical vulnerabilities in EOS, which is about to launch its mainnet on 2nd June. It has been verified that some of these vulnerabilities can remotely execute arbitrary code on the EOS node, which allows attackers to take over all nodes running on EOS remotely.
360 security has reported the vulnerability to EOS team and helped them fix the bug. According to EOS, the mainnet will not be launched until these issues are resolved.
In the simulated attack, an attacker constructs and publishes a smart contract containing malicious code. The EOS supernode will execute this malicious contract and the security bug will be triggered. Once infected, the attacker can control the supernode to generate a new block containing the malicious code, which will cause all full nodes in the network (Supernode candidate, exchange node, wallet provider node, etc.) to be controlled remotely.
Since the system is completely controlled, the attacker can “do whatever he wants”, such as stealing the private key of the EOS supernode, controlling transaction of the EOS network; acquiring other financial and private data in the EOS network, such as an exchange’s cryptocurrency, user’s private key stored in the wallet, user profiles, private data and more. Attacker can even turn EOS network into a botnet to mine other cryptocurrencies. Read also: 360 Security: DDG Collected Over 3,395 XMR, the 2nd largest mining botnet.
Daniel Larimer, founder of EOS, tweeted about 8 hours ago:
“Help us find critical bugs in #EOSIO before our 1.0 release. $10K for every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts. Offer subject to change, ID required, validity decided at the sole discretion of Block One.”
According to the time-frame provided by both parties, bytemaster may release the bounty after he learned the critical bug submitted by 360 Security. Dawn, the 1.0 version of EOS, might have to be postponed.
Debuted in 2006, 360 security has grown into the #1 vendor of anti virus software in China. The company offered the first insurance against bitcoin ransomware in 2016. Cryptocurrency security is of higher concern due to the heavy stake it may involve.
1. Chatlog indicate that the critical bug has been leaked to some media prior to the official news:
2. According to Bohe@Mixin:
“The bug was not found on the GitHub and therefore there is no “fixing”. 2 BM is still asleep. The testnet was shut down last night ( It was accessible for test purpose earlier.). 3. There is no such a person as “EOS Official”
3. According to the latest update from 0daily, 360 Security has contacted BM directly via telegram and showed him the demo video. The vulnerability was fixed but pending for further review. EOS might disclose more detail later. The vulnerability was not the only one. There are more to be submitted to EOS. It’s not certain whether the bug will delay the launch of EOS mainnet but BM said the mainnet would not be launched before these bugs were fixed.
- My Donate Address
- My Donate Address